FIDO is the pathway to nixing passwords. Tom Merritt explains why, because of the FIDO project, this dream is not only possible but getting closer.
Fido is a dog, but FIDO—all caps—is the pathway to the elimination of the password. Imagine it. A world where you no longer have to remember the phrase CorrectHorseBatteryStaple with the es replaced by 3s in order to log in to... anything.
This dream is not only possible but getting closer.
Here are five things to know about the FIDO project.
- No company owns it. It's a 501(c)(6) nonprofit organization formed in July 2012. Banks, device makers, and telcos around the world have pledged to adopt FIDO, including Samsung, JD.com, China Telecom, Bank of America, Google, Microsoft, Salesforce, and more.
- It works to make standards. FIDO is putting its WebAuthn standard for password-free web authentication through the W3C standards process. It hit the Candidate Recommendation stage in April 2018.
- It has support. Microsoft is integrating it with Windows Hello. Firefox, Chrome, and Edge all have support in place or on the way. And Apple's Safari engineers are part of the WebAuthn working group under FIDO.
- It's simple and flexible. Since the work is done in the browser, it can work with whatever the user has—fingerprint readers or facial recognition or a YubiKey or even something yet to be invented.
- It's strong. User credentials do not need to leave the user's device and are never stored on servers. It's a zero-knowledge proof. The app or browser does the work of matching the credential with the service in a way that protects against phishing and man-in-the-middle attacks.
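
The server-side check behind that last point, as an added example that is not from the original article or from the FIDO Alliance: a simplified WebAuthn-style sign-in in Node.js, where the server holds only a public key and rejects an assertion made on a look-alike site, edited after signing, or replayed. The names `makeAuthenticator` and `verifyAssertion`, the reduced message layout, and the `example.com` origins are assumptions made for illustration.

```javascript
// Added illustration: simplified WebAuthn-style assertion; origins are constructed samples.
const nodeCrypto = require('crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Authenticator: the private key is created on the device and never exported.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only credential material the server ever stores
    // `origin` is written by the browser from the page it is really on.
    sign(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authData = SHA-256(rpId) || flags (0x01 = user present) || 4-byte counter
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Relying party: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, expected.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rpId = 'example.com', origin = 'https://example.com';
  const lookalike = 'https://example.com.login.invalid';
  const device = makeAuthenticator(rpId);
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { rpId, origin, challenge, publicKey: device.publicKey };
  const good = device.sign(challenge, origin);
  const relayed = device.sign(challenge, lookalike); // signed while on the wrong site
  const rewritten = { ...relayed, clientDataJSON:    // origin edited after signing
    Buffer.from(relayed.clientDataJSON.toString().replace(lookalike, origin)) };
  const stale = { ...expected, challenge: nodeCrypto.randomBytes(32) };
  return { good: verifyAssertion(good, expected), relayed: verifyAssertion(relayed, expected),
    rewritten: verifyAssertion(rewritten, expected), replayed: verifyAssertion(good, stale) };
}
console.log(demo());
```

This models only the server's side of the check; a real browser also refuses to request a credential for an RP ID that does not match the domain of the page it is on.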
Yes, it takes a lot to make the world's largest companies decide to play nice together on something, but frustration with passwords looks to be the kind of thing that can.
It's a slow kill, but the death of the password is coming.